diff --git a/hosts/default.nix b/hosts/default.nix
index e2f93f0..0d03a03 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -173,4 +173,24 @@ in {
 }
 ];
 };
+ haru = nixosSystem {
+ inherit system;
+ specialArgs = {inherit inputs;};
+ modules = [
+ ./haru
+ sopsModule
+ hmModule
+ {
+ home-manager = {
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ users.notoh = {
+ imports = [
+ ./haru/home.nix
+ ];
+ };
+ };
+ }
+ ];
+ };
 }
diff --git a/hosts/deploy.nix b/hosts/deploy.nix
index 9bf4510..ed64275 100644
--- a/hosts/deploy.nix
+++ b/hosts/deploy.nix
@@ -60,5 +60,15 @@ inputs: {
 sshOpts = ["-t" "-i" "~/.ssh/forgejo"];
 magicRollback = true;
 };
+ haru = {
+ hostname = "100.73.192.45";
+ profiles.system = {
+ user = "root";
+ path = activate.nixos inputs.self.nixosConfigurations.haru;
+ };
+ sshUser = "root";
+ sshOpts = ["-t" "-i" "~/.ssh/forgejo"];
+ magicRollback = true;
+ };
 };
 }
diff --git a/hosts/haru/default.nix b/hosts/haru/default.nix
new file mode 100644
index 0000000..445de1b
--- /dev/null
+++ b/hosts/haru/default.nix
@@ -0,0 +1,33 @@
+{...}: {
+ imports = [
+ ./hardware-configuration.nix
+ ./services
+ ./networking.nix
+ ../../modules
+ ];
+
+ boot.loader = {
+ grub = {
+ enable = true;
+ configurationLimit = 5;
+ device = "/dev/sda";
+ useOSProber = false;
+ };
+ };
+
+ networking = {
+ hostName = "haru";
+ };
+
+ services.xserver = {
+ layout = "us";
+ xkbVariant = "";
+ };
+
+ users.users.notoh.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdSO5g6IZQUzeH0Xf7hEVjKZ4cAWn/DjN+GQ2Ujd+qD haru"
+ ];
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd8j1+fC/ng7l17rsxugVtlhurUe1ICizwA9lQkSuNY forgejo"
+ ];
+}
diff --git a/hosts/haru/hardware-configuration.nix b/hosts/haru/hardware-configuration.nix
new file mode 100644
index 0000000..9ee1122
--- /dev/null
+++ b/hosts/haru/hardware-configuration.nix
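Review bot: The new `haru` deploy entry sets both `sshUser = "root"` and `profiles.system.user = "root"`, so the `~/.ssh/forgejo` key becomes a standing, unrestricted root credential for this host, and the context lines show the same key already serves at least one other host in this file. deploy-rs can run the activation through sudo when `sshUser` is an unprivileged account while `user` stays `"root"`, which keeps the key from being a direct root login; consider `sshUser = "deploy";` backed by a user with passwordless sudo for the activation, or at least a per-host key rather than one shared `forgejo` key. If that key lives on a CI runner, as its name suggests, compromise of the runner is root on every host listed here.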
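Review bot: The `users.users.root.openssh.authorizedKeys.keys` entry grants the `forgejo` key a direct root login with no `from=` or `command=` restriction, and since NixOS defaults `services.openssh.settings.PermitRootLogin` to `prohibit-password`, key-based root login is accepted as written. If the deployer really connects over the tailnet, as the 100.x address in hosts/deploy.nix suggests, prefix the key with a source restriction, e.g. `"from=\"100.64.0.0/10\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd8j1+fC/ng7l17rsxugVtlhurUe1ICizwA9lQkSuNY forgejo"`, so a leaked key is not usable from arbitrary networks; longer term, deploying as a non-root user removes the root key entirely. A one-line comment above the root key saying who holds it and why root is required would also help the next reader, e.g. `# deploy-rs key held by the forgejo runner; root needed for system profile activation`.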
@@ -0,0 +1,29 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = [];
+ boot.extraModulePackages = [];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/06177115-2e39-493b-81fb-5a1980ae0534";
+ fsType = "ext4";
+ };
+
+ swapDevices = [
+ {device = "/dev/disk/by-uuid/c879fa21-fd80-422c-9aef-0becce5ff19c";}
+ ];
+
+ networking.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/haru/home.nix b/hosts/haru/home.nix
new file mode 100644
index 0000000..c7eafac
--- /dev/null
+++ b/hosts/haru/home.nix
@@ -0,0 +1,14 @@
+{...}: {
+ imports = [
+ ../../home
+ ];
+
+ systemd.user.startServices = "sd-switch";
+ programs.home-manager.enable = true;
+
+ home = {
+ username = "notoh";
+ homeDirectory = "/home/notoh";
+ stateVersion = "23.05";
+ };
+}
diff --git a/hosts/haru/networking.nix b/hosts/haru/networking.nix
new file mode 100644
index 0000000..ccd8dbf
--- /dev/null
+++ b/hosts/haru/networking.nix
@@ -0,0 +1,17 @@
+_: {
+ networking = {
+ networkmanager.enable = true;
+ nameservers = ["1.1.1.1"];
+ firewall = {
+ enable = true;
+ };
+ };
+ environment.etc = {
+ "resolv.conf".text = ''
+ nameserver 1.1.1.1
+ nameserver 1.0.0.1
+ '';
+ };
+
+ services.tailscale.enable = true;
+}
diff --git a/hosts/haru/services/blocky.nix b/hosts/haru/services/blocky.nix
new file mode 100644
index 0000000..24b3296
--- /dev/null
+++ b/hosts/haru/services/blocky.nix
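Review bot: `networking.nameservers = ["1.1.1.1"]` and the hand-written `environment.etc."resolv.conf"` both describe the same file, and with `networkmanager.enable = true` NixOS already manages /etc/resolv.conf from `networking.nameservers`, so the second writer is either redundant or a conflicting definition; which one wins should be confirmed on the host rather than assumed. The net effect is that this VM, which runs blocky on port 53 in hosts/haru/services/blocky.nix from the same commit, resolves its own names over plaintext port-53 DNS to Cloudflare, bypassing the block lists and the DoH upstreams configured there. If that bypass is deliberate, for instance to avoid a bootstrap loop while blocky resolves its own DoH upstream hostnames, record it, e.g. `# host resolver intentionally bypasses local blocky to avoid a bootstrap loop`; otherwise set `nameservers = ["127.0.0.1"];`, drop the `environment.etc` block, and give blocky a fixed-IP `bootstrapDns` so the loop cannot occur.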
@@ -0,0 +1,132 @@
+{...}: {
+ networking.firewall.allowedTCPPorts = [53 4000];
+ networking.firewall.allowedUDPPorts = [53];
+
+ services.blocky = {
+ enable = true;
+ settings = {
+ connectIPVersion = "v4";
+ upstreamTimeout = "30s";
+ startVerifyUpstream = false;
+ minTlsServeVersion = "1.2";
+ log = {
+ level = "debug";
+ privacy = true;
+ };
+ ports = {
+ dns = 53;
+ http = 4000;
+ https = 443;
+ };
+ upstream.default = [
+ "1.1.1.1"
+ "1.0.0.1"
+ "9.9.9.9"
+ "https://1.1.1.1/dns-query"
+ "https://dns.quad9.net/dns-query"
+ "https://dns-unfiltered.adguard.com/dns-query"
+ ];
+ blocking = {
+ loading = {
+ strategy = "fast";
+ concurrency = 8;
+ };
+ blackLists = {
+ ads = [
+ "https://blocklistproject.github.io/Lists/ads.txt"
+ "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
+ "https://adaway.org/hosts.txt"
+ "https://v.firebog.net/hosts/AdguardDNS.txt"
+ "https://v.firebog.net/hosts/Admiral.txt"
+ "https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
+ "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
+ "https://v.firebog.net/hosts/Easylist.txt"
+ "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
+ "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts"
+ "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
+ ];
+ tracking = [
+ "https://v.firebog.net/hosts/Easyprivacy.txt"
+ "https://v.firebog.net/hosts/Prigent-Ads.txt"
+ "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts"
+ "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
+ "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
+ ];
+ malicious = [
+ "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt"
+ "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
+ "https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt"
+ "https://v.firebog.net/hosts/Prigent-Crypto.txt"
+ "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts"
+ "https://v.firebog.net/hosts/RPiList-Phishing.txt"
+ "https://v.firebog.net/hosts/RPiList-Malware.txt"
+ ];
+ misc = [
+ "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
+ "https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-only/hosts"
+ ];
+ };
+ whiteLists = {
+ default = [
+ "https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt"
+ # "https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/optional-list.txt"
+ ];
+ };
+ clientGroupsBlock = {
+ default = [
+ "ads"
+ "tracking"
+ "malicious"
+ "misc"
+ ];
+ };
+ };
+ customDNS = {
+ customTTL = "1h";
+ mapping = {
+ # infra
+
+ "truenas.internal.flake.sh" = "192.168.1.199";
+ "assistant.internal.flake.sh" = "192.168.1.189";
+ "dashboard.internal.flake.sh" = "192.168.1.36";
+ "udm.internal.flake.sh" = "192.168.1.1";
+ "pve.internal.flake.sh" = "192.168.1.37";
+
+ # media
+
+ "jellyfin.internal.flake.sh" = "192.168.1.36";
+ "jellyseerr.internal.flake.sh" = "192.168.1.36";
+ "sonarr.internal.flake.sh" = "192.168.1.54";
+ "radarr.internal.flake.sh" = "192.168.1.54";
+ "bazarr.internal.flake.sh" = "192.168.1.54";
+ "prowlarr.internal.flake.sh" = "192.168.1.54";
+ "stash.internal.flake.sh" = "192.168.1.36";
+
+ # misc
+
+ "wallos.internal.flake.sh" = "192.168.1.36";
+ };
+ };
+ redis = {
+ address = "100.94.214.100:6381";
+ password = "blocky";
+ database = 2;
+ required = false;
+ connectionAttempts = 10;
+ connectionCooldown = "5s";
+ };
+ caching = {
+ minTime = "2h";
+ maxTime = "12h";
+ maxItemsCount = 0;
+ prefetching = true;
+ prefetchExpires = "2h";
+ prefetchThreshold = 5;
+ };
+ prometheus = {
+ enable = true;
+ path = "/metrics";
+ };
+ };
+ };
+}
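Review bot: `networking.firewall.allowedTCPPorts = [53 4000]` opens blocky's HTTP port on every interface, and `ports.http = 4000` binds it with no listen address, so anyone who can reach this VM on the LAN or the tailnet gets blocky's HTTP API, which carries no authentication of its own and includes endpoints that disable blocking and refresh lists, plus the `/metrics` endpoint enabled further down. Keep 53 global for DNS clients but confine the API, e.g. `networking.firewall.allowedTCPPorts = [53];` together with `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [4000];`, or bind it locally with `http = "127.0.0.1:4000";` if only local scraping is needed. Separately, `redis.password = "blocky"` is rendered by the NixOS module into a config file in the world-readable Nix store and sent in the clear to `100.94.214.100:6381`; hosts/default.nix already imports `sopsModule`, so this secret belongs in sops, and because the shared Redis cache feeds blocky's answers, anyone able to write to that Redis can poison DNS responses for every client of this resolver. `ports.https = 443` is also set with no certificate configuration, so confirm what blocky does in that case before relying on it for DoH/DoT clients.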
diff --git a/hosts/haru/services/default.nix b/hosts/haru/services/default.nix
new file mode 100644
index 0000000..06c90a7
--- /dev/null
+++ b/hosts/haru/services/default.nix
@@ -0,0 +1,5 @@
+_: {
+ imports = [
+ ./blocky.nix
+ ];
+}